New York Life Joins MOVEit Breach Notice List

News August 15, 2023 at 04:22 PM

New York Life Insurance Co. has joined the long list of life insurance companies that have filed data breach notices with state regulators in connection with the Cl0p attack on MOVEit, a popular file transfer tool.

New York Life believes the attack may have exposed the personal information, including Social Security numbers, of 25,685 of its customers, according to a version of the notice posted by the Maine attorney general's office last week.

Vendors that serve New York Life and other companies use MOVEit to move large batches of the sensitive personal information used to administer insurance policyholder, annuity contract holder and pension plan participant records. Cl0p succeeded at stealing large batches of the data by finding a weakness in MOVEit and burrowing into the servers used to provide the MOVEit services.

Bert Kondruss, managing director of KonBriefing Research, estimates that MOVEit-related breach reports show the attack has affected at least 677 organizations and 41 million people around the world.

What It Means

Clients with a life insurance policy, an annuity or a retirement plan account may have already shown you a breach notice, or will show you one, and ask you what to do about it.

The Players

New York Life and most other life insurers that have filed MOVEit breach reports were affected because they employed Pension Benefit Information to help them keep track of insureds and plan participants.

PBI used MOVEit, a system provided by Progress Software Corp., to manage the data files supporting the tracking process.

"We recently learned of a security incident related to a third-party vendor," New York Life said in a comment on the breach. "This is a matter we take very seriously. The appropriate authorities were notified, as were the affected individuals."

A MOVEit system representative said the organization does not comment on pending litigation. "Our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have developed," the representative said.

The Immediate Impact

For clients, the immediate impact will be offers of free access to identity monitoring services.

New York Life, for example, is offering 12 months of identity monitoring services from Kroll.

Many other insurers are offering 12 to 24 months of Kroll services, or similar types of services from vendors such as Experian.

Clients may ask whether the identity monitoring services are legitimate and what those services will do with their information.

The Litigation

Genworth Financial attracted attention from plaintiffs' attorneys because it was the first life and annuity issuer to file a MOVEit breach notice with the U.S. Securities and Exchange Commission.

Eric Forni, an attorney with DLA Piper, said in a declaration filed Aug. 9 in connection with a MOVEit suit filed in federal court in Massachusetts — Anastasio v. Progress Software, PBI Research Services and Genworth Financial — that at least three plaintiffs have filed federal suits naming Genworth as a plaintiff along with Progress Software, PBI or both Progress Software and PBI.

Forni also listed 40 similar MOVEit suits and noted that efforts are underway to consolidate the litigation in the U.S. District Court for Minnesota, in Minneapolis.

Forni is representing Progress Software, PBI and Genworth in the Anastasio case.

The U.S. Judicial Panel on Multidistrict Litigation plans to hold a hearing on proposals for consolidating the litigation Sept. 28 in Lexington, Kentucky.

The Long-Term Impact

The Innovation Cybersecurity and Technology Committee of the National Association of Insurance Commissioners held an in-person session at the NAIC's meeting in Seattle on Sunday.

The Cl0p attack did not show up on the agenda or in the meeting packets.

Eventually, the Cl0p attack could draw attention to efforts by the NAIC's Cybersecurity Working Group, Privacy Protections Working Group and other NAIC bodies to set and update rules for outside vendors, or "third-party service providers," that have access to insurers' customer data files.

An NAIC tracking map shows that nine states are working on bills based on the NAIC's existing Insurance Data Security model law.

Illinois, for example, now has a law based on the model that will take effect in 2024.

The new law requires an insurer to "exercise due diligence in selecting its third-party service provider," and it requires third-party service providers to protect and secure an insurer's information systems and nonpublic information.
